Trust Assessment
office365-connector received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. Key findings include Data Exfiltration via Arbitrary URL in Graph API Requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Data Exfiltration via Arbitrary URL in Graph API Requests The `graphRequest` function, used across multiple skill files, constructs a URL using `new URL(path, 'https://graph.microsoft.com')`. If the `path` argument, which is derived directly from untrusted command-line input (e.g., `eventId`, `emailId`, `messageId`), is an absolute URL (e.g., `http://evil.com/`), the `URL` constructor will override the base URL. This allows an attacker to craft a malicious input that causes the skill to send the user's Microsoft Graph access token in the `Authorization` header to an arbitrary external server, leading to credential exfiltration. Modify the `graphRequest` function to explicitly validate or enforce the hostname. Before making the request, ensure that `url.hostname` is strictly `graph.microsoft.com`. For example, add a check like `if (url.hostname !== 'graph.microsoft.com') { throw new Error('Invalid hostname'); }` after `new URL(...)` or ensure the `path` argument is always a relative path and does not contain a scheme (e.g., `http://`). This vulnerability also exists in `email.js` and `send-email.js` due to their use of the same `graphRequest` pattern. | LLM | cancel-event.js:13 | |
| CRITICAL | Data Exfiltration via Arbitrary URL in Graph API Requests The `graphRequest` function, used across multiple skill files, constructs a URL using `new URL(path, 'https://graph.microsoft.com')`. If the `path` argument, which is derived directly from untrusted command-line input (e.g., `eventId`, `emailId`, `messageId`), is an absolute URL (e.g., `http://evil.com/`), the `URL` constructor will override the base URL. This allows an attacker to craft a malicious input that causes the skill to send the user's Microsoft Graph access token in the `Authorization` header to an arbitrary external server, leading to credential exfiltration. Modify the `graphRequest` function to explicitly validate or enforce the hostname. Before making the request, ensure that `url.hostname` is strictly `graph.microsoft.com`. For example, add a check like `if (url.hostname !== 'graph.microsoft.com') { throw new Error('Invalid hostname'); }` after `new URL(...)` or ensure the `path` argument is always a relative path and does not contain a scheme (e.g., `http://`). This vulnerability also exists in `cancel-event.js` and `send-email.js` due to their use of the same `graphRequest` pattern. | LLM | email.js:13 | |
| CRITICAL | Data Exfiltration via Arbitrary URL in Graph API Requests The `graphRequest` function, used across multiple skill files, constructs a URL using `new URL(path, 'https://graph.microsoft.com')`. If the `path` argument, which is derived directly from untrusted command-line input (e.g., `eventId`, `emailId`, `messageId`), is an absolute URL (e.g., `http://evil.com/`), the `URL` constructor will override the base URL. This allows an attacker to craft a malicious input that causes the skill to send the user's Microsoft Graph access token in the `Authorization` header to an arbitrary external server, leading to credential exfiltration. Modify the `graphRequest` function to explicitly validate or enforce the hostname. Before making the request, ensure that `url.hostname` is strictly `graph.microsoft.com`. For example, add a check like `if (url.hostname !== 'graph.microsoft.com') { throw new Error('Invalid hostname'); }` after `new URL(...)` or ensure the `path` argument is always a relative path and does not contain a scheme (e.g., `http://`). This vulnerability also exists in `cancel-event.js` and `email.js` due to their use of the same `graphRequest` pattern. | LLM | send-email.js:13 |
Scan History
Embed Code
[](https://skillshield.io/report/6706d407b327f120)
Powered by SkillShield